Information Notice of Personal Data Controller

Information for the client for promissory note guarantors – natural persons who run or who do not run business activity

Prime Car Management S.A., based in Gdańsk (80-308) ul. Polanki 4 (“Company”) hereby states that with respect to your personal data acquired by the Company, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/WE (hereinafter accordingly: “personal data” and “GDPR”), the Company has become and remains the controller of such acquired personal data.

The Company has appointed a data protection officer who can be contacted at the following address:
Data Protection Officer, Prime Car Management S.A. ul. Polanki 4, 80-308 Gdańsk,
– e-mail address:

The Company processes your data because of the necessity of establishing a security in the form of an appropriate agreement or of a relevant statement of will from you (hereinafter jointly “Security agreement”), in relation to the concluded contract for a product or service offered by the Company (hereinafter: “Contract

The Company may also obtain, supplement, verify or update your data based on:

1. publicly available registers, business and credit information offices or other bases which may be used by the Company pursuant to the provisions of the applicable law or your consent;

2. information about you, including personal data, held by other companies of the capital group of PKO Bank Polski S.A.; the basis for the exchange of data within this Group is your consent, while for risk management – the statutory or legitimate interests of companies subject to the exchange, in connection with the applicable regulations of the common law.

Legal bases for data processing

The personal data obtained from you are processed lawfully, and their processing legal basis are:

1. consent – i.e. your voluntary consent to the processing of your data under Article 6(1)(a) of the GDPR;

2. pre-contractual requirements – i.e. processing is necessary in order to take steps at your request in order to accept a promissory note guarantee as a contract performance security, as specified in Article 6(1)(b) of the GDPR;

3. contractual requirements – i.e. processing is necessary for the performance of the security agreement and the execution of a promissory note guarantee, as specified in Article 6(1)(b) of the GDPR;

4. statutory requirements – i.e. processing is necessary for the Company to comply with its legal obligations under the legal provisions, as specified in Article 6(1)(c) of the GDPR; 

5. legitimate interests of the controller – i.e. processing is necessary for the purposes of the legitimate interests pursued by the controller, as specified Article 6(1)(f) of the GDPR.

Purpose of data processing

Based on the above legal bases for data processing, the Company processes your data for the following purposes:

1. for the purposes indicated in the consent – on the basis of such consent – in this case you may withdraw your consent at any time, which will not affect the legality of the processing performed on the basis of your consent before its withdrawal; the refusal to consent or its withdrawal will prevent the Company from processing your data for the purposes indicated in the consent; 

2. for the purpose of analysing the possibility of concluding the Contract and a related security agreement – based on pre-contractual requirements;

3. for the purpose of assessing your credibility as a promissory note guarantor – based on pre-contractual requirements;

4. for the purpose of performing the security agreement or the promissory note guarantee, including the handling of related inquiries and complaints, and executing your orders – based on contractual requirements;

5. for the purpose of predicting your ability to perform the promissory note guarantee as a security, and hence the possibility of concluding the Contract contemplated by the Company, including by building and analysing your profile as well as making predictions – based on legitimate interests of the controller;

6. for the purpose of complying with anti-money laundering and anti-terrorist financing regulations and obligations imposed on obligated institutions and, in the event of concluding the Contract, also for the purpose of complying with legal regulations, e.g. tax settlements – based on statutory requirements;

7. for the purpose of asserting and defending against claims relating directly or indirectly to the Contract, inter alia in relation to the related security – based on legitimate interests of the controller;

8. for the purposes of ensuring the effectiveness, legality and security of the business activity carried out by the controller and the processing of personal data, in certain cases related to the building and analysing your profile – based on legitimate interests of the controller;

9. for the purpose of marketing the Company’s products and services (including, in particular, financing services, as well as insurance mediation services), which may be in certain cases preceded by the establishment of your profile and its analysis by the Company, during the term of the contract – based on legitimate interests of the controller or after the expiry/termination of the contract or – if the contract is not concluded if you have given your consent in this respect;

10. for the purpose of handling requests sent using the contact form or other available communication channels – based on pre-contractual requirements or based on legitimate interests of the controller, depending on the subject matter of a request; and for the purpose of handling complaints

The period of processing

The period of processing of the collected personal data is related to the purposes indicated above. In view of the above, personal data will be processed for the longer of the following periods: 

1. for the period in which data must be stored under legal regulations or

2. for the period of limitation for any claims, the pursuit of which requires data availability.

Entities to whom data may be disclosed

Personal data obtained may be disclosed in the course of their processing for the purposes indicated above – to entities other than the Company, i.e.:

1. to companies of the PKO Bank Polski S.A. Capital Group, of which the Company is a member; the current list of such entities is available at, in particular to PKO Leasing S.A. based in Łódź, al. Marszałka E. Śmigłego-Rydza 20 or PKO Bank Polski S.A. based in Warsaw at ul. Puławska 15, for the following purposes:
a) administration of human resources as well as conducting analyses and implementing process solutions relevant to the optimisation of the business activity of the capital group, based on terms and conditions established in the agreements concluded between entities within the capital group;

b) execution of legitimate interests of the PKO Bank Polski S.A. Capital Group, resulting from the rights of the entities from this group to exchange information to prevent fraud or effective risk management and financial reporting within the capital group, in connection with the applicable laws;

c) indicated in your consent to the processing of personal data.

As a result of making such data available by the Company, the entity from the capital group receiving these data will become, from the moment of their reception, an independent controller and will process these data for the purposes indicated in this point. With respect to PKO Leasing S.A. and PKO Bank Polski S.A., the principles of data processing and your rights resulting from this fact are described on the websites of PKO Leasing S.A. and PKO Bank Polski S.A. in the tabs dedicated to personal data protection (GDPR).

2. to entities providing services to the Company which are important for the Company to conduct business activity, e.g. IT or operational service providers, auditors, advisors (including legal advisors), and to entities that are entitled to obtain information on the basis of legal regulations.

3. to Masterlease Capital Group entities, the current list of which can be found at, to analyse and implement process solutions relevant for optimising business operations and to pursue legitimate interests in the exchange of information for fraud prevention, effective risk management as well as financial reporting and contract handling. 

Data processing principles

The processing of your data by the Company is based on a voluntary basis; however, the refusal to provide data may make it impossible to take the actions you have requested.

Your personal data may be processed using analytical models in an automated manner, including profiling, for risk analysis and marketing purposes. As a result, we will be able to apply to you a simplified processing procedure or implement solutions that support liability servicing, protect the assets of the Company and its stakeholders or present you with a customized offer of products and services offered by the Company.

Realization of data persons’ rights

In cases and on principles set out in the provisions on the protection of personal data, you have the right to access, rectify or delete your data, restrict the processing of your data, object to the processing of personal data based on a legal basis in the form of legitimate requirements of the controller, as well as transfer of personal data.

If you do not agree with the content of the decision taken by automated means, you have the right to reconsider the subject matter of the analysis, taking into account additional information provided by you and with the participation of a substantively competent representative of the Company.

You can exercise these rights by sending a relevant request by post to the following address:
– ul. Polanki 4, 80-308 Gdańsk or
– by e-mail to:

Right to lodge a complaint

Notwithstanding the foregoing, you have also the right to lodge a complaint with the competent supervisory authority (President of the Office for Personal Data Protection), specified in the currently applicable act regulating the principles of personal data protection.

Transfer data outside the European Economic Area (EEA)

Please be advised that it may also be necessary to transfer your personal data outside the European Economic Area (EEA), due to the potential possibility of some of our suppliers or auditors being the recipients of the data to operate there.

In any such case, before transferring the data, however, we will ensure that, as part of ensuring data security, our suppliers or auditors guarantee a high level of personal data protection by obliging these entities to use standard contractual clauses adopted by the European Commission and confirming the existence of effective data protection enforcement mechanisms, required by the European Union law.

You have the right to request us to provide you with a copy of the appropriate security measures (protection measures) that we apply in connection with the transfer of your data outside the EEA, by directing your inquiry to the above-mentioned address of the Data Protection Officer.

Contact us